I'm a privacy pragmatist, writing about the intersection of law, technology, social media and our personal information. If you have story ideas or tips, e-mail me at khill@forbes.com. PGP key here.
These days, I'm a senior online editor at Forbes. I was previously an editor at Above the Law, a legal blog, relying on the legal knowledge gained from two years working for corporate law firm Covington & Burling -- a Cliff's Notes version of law school.
In the past, I've been found slaving away as an intern in midtown Manhattan at The Week Magazine, in Hong Kong at the International Herald Tribune, and in D.C. at the Washington Examiner. I also spent a few years traveling the world managing educational programs for international journalists for the National Press Foundation.
I have few illusions about privacy -- feel free to follow me on Twitter: kashhill, subscribe to me on Facebook, Circle me on Google+, or use Google Maps to figure out where the Forbes San Francisco bureau is, and come a-knockin'.

Facebook Keeps A History Of Everyone Who Has Ever Poked You, Along With A Lot Of Other Data

Across the pond, European law grants citizens a “right to access,” meaning that companies have to provide a person with all of the personal data they have on them if they request it. An Austrian-based group called Europe v. Facebook has posted a couple of the reports compiled by the social networking giant everyone loves (and loves to hate).

Facebook doesn't forget pokes

Most of you probably know that Facebook knows a lot about you. But did you know that if you were to print it out, it might take up about 880 pages? I went through one of the lengthy dossiers from Europe v. Facebook. Here are the juicy bits for a female Facebook user with the initials ‘L.B.’ who has been a member of the site since 2007:

Facebook keeps track of every person who has ever poked you. Facebook user L.B. has been poked over 50 times from 2008 through 2011 (K.D. was a frequent poker in 2008, though a user by the initials T.V. is currently the pokiest of L.B.’s friends).

Facebook keeps track of the devices associated with your account

The report includes a list of the machines that L.B. has used Facebook from, how often she has signed in from the machine, as well as a list of all the other Facebookers who have logged in on that machine. As pointed out recently by blogger Nik Cubrilovic, Facebook leaves cookies on computers that have the ability to track users even when they’re logged out of Facebook. Facebook now plans to scale back that cookie use, but it still will want information about who’s signing in on which machines to thwart hackers, block spammers, and know which computers are in Internet cafes, for example. Given the hundreds of millions of users the company has, “Facebook is pretty much indexing all computers worldwide,” says Max Schrems of Europe v. Facebook.

Facebook keeps track of every event you’ve ever been invited to, and how you responded to the invitation. L.B. has attended about 29 events since 2009, has declined nine invitations since 2010, and has failed to RSVP at all to about 75 events dating back to 2007 (how rude!). The inviter, location and name of the events have been blacked out on the report posted to Europe v. Facebook’s site for privacy reasons.

A list of exes?

Facebook keeps track of everyone you defriended and when. As some have pointed out, the Facebook Timeline will also expose this information to anyone who’s interested. L.B. has removed over a dozen of her friends over the years. The Facebook report also includes a list of friend requests that L.B. rejected.

Facebook includes a history of messages and chats in the report. Europe v. Facebook says that some users say their reports include messages they’ve deleted.

If you want to see all 880 glorious pages yourself, you can download the file here [pdf]. It also includes things you’d expect, like a list of all of L.B.’s friends and personal information from her profile page.

(What I was surprised not to see here was a list of the things that L.B. had looked at and/or clicked, such as other peoples’ profile pages, photos, or status updates. As we have seen before, that is something Facebook knows about its users. Update, Sept. 28: While “real-time activities” are missing from L.B.’s report, you will see them in another report on the site, for M.S.)

So, just keep this in mind next time you’re on Facebook. All your pokes are going into a permanent record.

Post Your Comment

Post Your Reply

Forbes writers have the ability to call out member comments they find particularly interesting. Called-out comments are highlighted across the Forbes network. You'll be notified if your comment is called out.

Well, now do people finally believe that facebook is a goldmine of information? This is both good and bad–but are you really okay with all your information being sold to various companies both good and bad? Facebook has become so successful because of this–users freely give out their personal information while using the site and don’t even think twice about it.

On Yahoo! News the other day there was an article about the new Social Network called OnlyMeWorld that is giving users the privacy they have been looking for by never asking for any personal information. It’s an amazing new tool for social networking with anonymity!

True. But some of the information here doesn’t seem all that useful for advertising purposes (such as the history of pokes). I see it more as a question of what should be subject to data retention. There’s a big push in the privacy world for companies to purge data they keep unnecessarily.

Facebook works in the exact same way every web application does regarding what and how it records data. The ‘poke’ feature wouldn’t work if it didn’t record it permanently. Its unfortunate that this would come as a surprise to anyone, but if it does, I appreciate the effort to educate people about the Internet. However, the scaremongering tone of the article is completely uncalled for. If people are concerned about information like pokes, messages, and IP addresses being permanently recorded by a web application they chose to use, then you should seriously consider not using the internet at all. Stop pointing fingers at only Facebook and scaremongering. This is, from a technical perspective, how the Internet and web applications work.

I’m not going for a scaremongering tone here. I meant for this post to be educational — I think many privacy concerns are allayed by full disclosure (as long as that disclosure doesn’t reveal nefarious practices).

I have to agree with @jcherry84 here: your tone implies that we need to look over our shoulders before doing anything on Facebook.

All of the above things that are recorded are recorded for a functional purpose: IPs are tracked for login security, event activity is tracked in the event of revisitation, poke activity is tracked for the sake of its being an active poke until you poke back, and message history is kept in the event crimes need to be investigated.

The publishing of this article is on par with complaining that this photo of you and a drunk Japanese man should not be kept on Facebook’s servers: https://fbcdn-sphotos-a.akamaihd.net/photos-ak-ash1/v166/61/116/636825596/n636825596_1935207_6639.jpg

I have to agree with @jcherry84 here: your tone implies that we need to look over our shoulders before doing anything on Facebook.

All of the above things that are recorded are recorded for a functional purpose: IPs are tracked for login security, event activity is tracked in the event of revisitation, poke activity is tracked for the sake of its being an active poke until you poke back, and message history is kept in the event crimes need to be investigated.

The publishing of this article is on par with complaining that this photo of you and a drunk Japanese man should not be kept on Facebook’s servers: https://fbcdn-sphotos-a.akamaihd.net/photos-ak-ash1/v166/61/116/636825596/n636825596_1935207_6639.jpg

My intention is to make people aware of how their activity is tracked. I don’t mean to be alarmist, but rather informative. Many people don’t think about these things (though that’s steadily changing, thanks in part to obvious data retention by Google and Facebook rather than the behind-the-scenes retention by insurers, credit cards, loyalty programs, and credit bureaus) so they may be “alarmed” to read it. But as people become more educated about what’s tracked, what’s not, and how the information might be used in the future, we’ll have fewer privacy freak-outs.

I would absolutely not complain about that photo being exposed. (The settings on my 2007 Tokyo Trip photo album allows “Friends of Friends” to see it, so I assume you are one of those.) I, in general, do not post anything on Facebook that I wouldn’t be fine with anyone in the world seeing.

i dont believe the tone implies fear but rather that you should be aware of the data you post rather than expose yourself without consideration.

Facebook and all social networks are merely a community notice board. Would you detail your movements, photos, friends, consumer tendencies and more on a big poster in the middle of your town for everyone to see? And then describe the path from your house to the poster and the times you visit the poster to add more detail?

The privacy settings you put in place are a thin veil to infer security but that is all. The information is still present, and still being recorded.

No one is intending to scare people, just be aware of the information you give away for free rather than blindly believe any company is collecting this to make your life easier.